Merge pull request #350 from docker/dependabot/github_actions/actions/github-script-8

chore(deps): Bump actions/github-script from 7 to 8

.github/workflows/ci-subaction.yml

@@ -25,37 +25,112 @@ on:
       - 'test/**'
 
 jobs:
-  list-targets-group:
+  list-targets:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            testdir: group
+            expected: >
+              ["t1","t2"]
+          -
+            testdir: group-matrix
+            target: validate
+            expected: >
+              ["lint-default","lint-labs","lint-nydus","lint-proto","lint-yaml","validate-doctoc","validate-vendor"]
+          -
+            testdir: multi-files
+            files: |
+              docker-bake.json
+              docker-bake.hcl
+            expected: >
+              ["v1-tag","v2-tag"]
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Matrix gen
         id: gen
         uses: ./subaction/list-targets
         with:
-          workdir: ./test/group
+          workdir: ./test/${{ matrix.testdir }}
+          files: ${{ matrix.files }}
+          target: ${{ matrix.target }}
       -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
+        name: Check output
+        uses: actions/github-script@v8
+        env:
+          INPUT_TARGETS: ${{ steps.gen.outputs.targets }}
+          INPUT_EXPECTED: ${{ matrix.expected }}
+        with:
+          script: |
+            const targets = JSON.stringify(JSON.parse(core.getInput('targets')));
+            const expected = JSON.stringify(JSON.parse(core.getInput('expected')));
+            if (targets !== expected) {
+              throw new Error(`Targets do not match expected values: ${targets} != ${expected}`);
+            } else {
+              core.info(`✅`);
+            }
 
-  list-targets-group-matrix:
+  matrix:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            testdir: group
+            expected: >
+              [{"target":"t1"},{"target":"t2"}]
+          -
+            testdir: group-matrix
+            target: validate
+            expected: >
+              [{"target":"lint-default"},{"target":"lint-labs"},{"target":"lint-nydus"},{"target":"lint-proto"},{"target":"lint-yaml"},{"target":"validate-doctoc"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            expected: >
+              [{"target":"lint"},{"target":"lint-gopls"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms
+            expected: >
+              [{"target":"lint","platforms":"darwin/amd64"},{"target":"lint","platforms":"darwin/arm64"},{"target":"lint","platforms":"linux/amd64"},{"target":"lint","platforms":"linux/arm64"},{"target":"lint","platforms":"linux/s390x"},{"target":"lint","platforms":"linux/ppc64le"},{"target":"lint","platforms":"linux/riscv64"},{"target":"lint","platforms":"windows/amd64"},{"target":"lint","platforms":"windows/arm64"},{"target":"lint-gopls","platforms":"darwin/amd64"},{"target":"lint-gopls","platforms":"darwin/arm64"},{"target":"lint-gopls","platforms":"linux/amd64"},{"target":"lint-gopls","platforms":"linux/arm64"},{"target":"lint-gopls","platforms":"linux/s390x"},{"target":"lint-gopls","platforms":"linux/ppc64le"},{"target":"lint-gopls","platforms":"linux/riscv64"},{"target":"lint-gopls","platforms":"windows/amd64"},{"target":"lint-gopls","platforms":"windows/arm64"},{"target":"validate-docs"},{"target":"validate-vendor"}]
+          -
+            testdir: group-with-platform
+            target: validate
+            fields: platforms,dockerfile
+            expected: >
+               [{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"darwin/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/arm64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/s390x"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/ppc64le"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"linux/riscv64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/amd64"},{"target":"lint-gopls","dockerfile":"./hack/dockerfiles/lint.Dockerfile","platforms":"windows/arm64"},{"target":"validate-docs","dockerfile":"./hack/dockerfiles/docs.Dockerfile"},{"target":"validate-vendor","dockerfile":"./hack/dockerfiles/vendor.Dockerfile"}]
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Matrix gen
         id: gen
-        uses: ./subaction/list-targets
+        uses: ./subaction/matrix
         with:
-          workdir: ./test/group-matrix
-          target: validate
+          workdir: ./test/${{ matrix.testdir }}
+          target: ${{ matrix.target }}
+          fields: ${{ matrix.fields }}
       -
-        name: Show matrix
-        run: |
-          echo matrix=${{ steps.gen.outputs.matrix }}
+        name: Check output
+        uses: actions/github-script@v8
+        env:
+          INPUT_MATRIX: ${{ steps.gen.outputs.matrix }}
+          INPUT_EXPECTED: ${{ matrix.expected }}
+        with:
+          script: |
+            const matrix = JSON.stringify(JSON.parse(core.getInput('matrix')));
+            const expected = JSON.stringify(JSON.parse(core.getInput('expected')));
+            if (matrix !== expected) {
+              throw new Error(`Matrix do not match expected values: ${matrix} != ${expected}`);
+            } else {
+              core.info(`✅`);
+            }

.github/workflows/ci.yml

@@ -32,8 +32,8 @@ on:
       - 'subaction/**'
 
 env:
-  BUILDX_VERSION: latest
-  BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
+  BUILDX_VERSION: edge
+  BUILDKIT_IMAGE: moby/buildkit:latest
 
 jobs:
   bake:
@@ -52,7 +52,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -69,6 +69,7 @@ jobs:
         name: Build and push
         uses: ./
         with:
+          source: .
           builder: ${{ steps.buildx.outputs.name }}
           files: |
             ./test/config.hcl
@@ -81,12 +82,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Build
         continue-on-error: true
         uses: ./
         with:
+          source: .
           files: |
             ./test/config.hcl
           set: |
@@ -97,7 +99,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Stop docker
         run: |
@@ -108,12 +110,12 @@ jobs:
         continue-on-error: true
         uses: ./
         with:
+          source: .
           files: |
             ./test/config.hcl
       -
         name: Check
         run: |
-          echo "${{ toJson(steps.bake) }}"
           if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
             echo "::error::Should have failed"
             exit 1
@@ -124,7 +126,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Uninstall docker cli
         run: |
@@ -144,15 +146,16 @@ jobs:
         name: Build
         uses: ./
         with:
+          source: .
           files: |
             ./test/config.hcl
 
-  source:
+  remote:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Build
         uses: ./
@@ -174,7 +177,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -188,6 +191,7 @@ jobs:
         uses: ./
         with:
           workdir: ./test/go
+          source: .
           targets: binary
           provenance: ${{ matrix.attrs }}
           set: |
@@ -215,7 +219,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -229,6 +233,7 @@ jobs:
         uses: ./
         with:
           workdir: ./test/go
+          source: .
           targets: ${{ matrix.target }}
           sbom: true
           set: |
@@ -269,12 +274,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Build
         uses: ./
         with:
           workdir: ./test/go
+          source: .
           set: |
             *.platform=linux/amd64
             *.output=type=image,"name=localhost:5000/name/app:v1.0.0,localhost:5000/name/app:latest",push=true
@@ -290,7 +296,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -304,6 +310,7 @@ jobs:
         uses: ./
         with:
           workdir: ./test/group
+          source: .
           push: true
           set: |
             t1.tags=localhost:5000/name/app:t1
@@ -314,7 +321,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set malformed docker config
         run: |
@@ -324,6 +331,7 @@ jobs:
         name: Build
         uses: ./
         with:
+          source: .
           files: |
             ./test/config.hcl
 
@@ -342,7 +350,7 @@ jobs:
           curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set proxy config
         run: |
@@ -361,6 +369,7 @@ jobs:
         name: Build
         uses: ./
         with:
+          source: .
           files: |
             ./test/config.hcl
           targets: app-proxy
@@ -380,7 +389,7 @@ jobs:
           curl --retry 5 --retry-all-errors --retry-delay 0 --connect-timeout 5 --proxy http://127.0.0.1:3128 -v --insecure --head https://www.google.com
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -396,6 +405,7 @@ jobs:
         name: Build
         uses: ./
         with:
+          source: .
           files: |
             ./test/config.hcl
 
@@ -404,7 +414,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -415,15 +425,13 @@ jobs:
       -
         name: Build
         uses: ./
-        with:
-          source: "{{defaultContext}}"
 
   git-context-and-local:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -439,7 +447,6 @@ jobs:
         name: Build
         uses: ./
         with:
-          source: "{{defaultContext}}"
           files: |
             cwd://${{ steps.meta.outputs.bake-file }}
 
@@ -453,7 +460,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -466,6 +473,7 @@ jobs:
         uses: ./
         with:
           workdir: ./test/go
+          source: .
           set: |
             *.output=type=image,name=localhost:5000/name/app:latest,push=true
             *.output=type=docker,name=app:local
@@ -496,7 +504,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -509,6 +517,7 @@ jobs:
         uses: ./
         with:
           workdir: ./test/go
+          source: .
           targets: image
           load: true
           push: true
@@ -523,12 +532,12 @@ jobs:
         run: |
           docker image inspect localhost:5000/name/app:latest
 
-  disable-summary:
+  summary-disable:
     runs-on: ubuntu-latest
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -543,10 +552,78 @@ jobs:
           files: |
             ./test/config.hcl
           targets: app
+        env:
+          DOCKER_BUILD_SUMMARY: false
+
+  summary-disable-deprecated:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          targets: app
         env:
           DOCKER_BUILD_NO_SUMMARY: true
 
-  export-retention-days:
+  summary-not-supported:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: v0.12.1
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+
+  record-upload-disable:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+
+  record-retention-days:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -557,7 +634,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -573,4 +650,220 @@ jobs:
             ./test/config.hcl
           targets: app
         env:
-          DOCKER_BUILD_EXPORT_RETENTION_DAYS: ${{ matrix.days }}
+          DOCKER_BUILD_RECORD_RETENTION_DAYS: ${{ matrix.days }}
+
+  export-legacy:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        legacy:
+          - false
+          - true
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          targets: app
+        env:
+          DOCKER_BUILD_EXPORT_LEGACY: ${{ matrix.legacy }}
+
+  checks:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - edge
+          - v0.14.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          workdir: ./test
+          source: .
+          files: |
+            ./lint.hcl
+
+  annotations-disabled:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          workdir: ./test
+          source: .
+          files: |
+            ./lint.hcl
+        env:
+          DOCKER_BUILD_CHECKS_ANNOTATIONS: false
+
+  allow:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        buildx-version:
+          - edge
+          - v0.19.0
+          - v0.18.0
+          - v0.17.1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ matrix.buildx-version }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          files: |
+            ./test/config.hcl
+          allow: network.host
+          targets: app-entitlements
+
+  no-default-attestations:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Build
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+        env:
+          BUILDX_NO_DEFAULT_ATTESTATIONS: 1
+
+  call-check:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          workdir: ./test
+          source: .
+          files: |
+            ./lint.hcl
+          call: check
+          targets: lint
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-multi:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          workdir: ./test
+          source: .
+          files: |
+            ./lint.hcl
+          call: check
+      -
+        name: Check
+        run: |
+          if [ "${{ steps.bake.outcome }}" != "failure" ] || [ "${{ steps.bake.conclusion }}" != "success" ]; then
+            echo "::error::Should have failed"
+            exit 1
+          fi
+
+  call-check-nowarning:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        id: bake
+        continue-on-error: true
+        uses: ./
+        with:
+          source: .
+          files: |
+            ./test/config.hcl
+          call: check

.github/workflows/pr-assign-author.yml

@@ -0,0 +1,17 @@
+name: pr-assign-author
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  run:
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf
+    permissions:
+      contents: read
+      pull-requests: write

.github/workflows/publish.yml

@@ -0,0 +1,21 @@
+name: publish
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Publish
+        uses: actions/publish-immutable-action@v0.0.4

.github/workflows/test.yml

@@ -23,15 +23,16 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Test
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
+          source: .
           targets: test
       -
         name: Upload coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
-          file: ./coverage/clover.xml
+          files: ./coverage/clover.xml
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/validate.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: List targets
         id: generate
@@ -36,11 +36,8 @@ jobs:
       matrix:
         target: ${{ fromJson(needs.prepare.outputs.targets) }}
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
       -
         name: Validate
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
           targets: ${{ matrix.target }}

.yarnrc.yml

@@ -1,3 +1,9 @@
+# https://yarnpkg.com/configuration/yarnrc
+
+compressionLevel: mixed
+enableGlobalCache: false
+enableHardenedMode: true
+
 logFilters:
   - code: YN0013
     level: discard
@@ -5,9 +11,7 @@ logFilters:
     level: discard
   - code: YN0076
     level: discard
+  - code: YN0086
+    level: discard
 
 nodeLinker: node-modules
-
-plugins:
-  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
-    spec: "@yarnpkg/plugin-interactive-tools"

README.md

@@ -14,96 +14,64 @@ as a high-level build command.
 ___
 
 * [Usage](#usage)
-  * [Path context](#path-context)
   * [Git context](#git-context)
+  * [Path context](#path-context)
+* [Summaries](#summaries)
 * [Customizing](#customizing)
   * [inputs](#inputs)
   * [outputs](#outputs)
   * [environment variables](#environment-variables)
 * [Subactions](#subactions)
-  * [`list-targets`](#list-targets)
+  * [`matrix`](subaction/matrix)
 * [Contributing](#contributing)
 
 ## Usage
 
-### Path context
-
-By default, this action will use the local bake definition (`source: .`), so
-you need to use the [`actions/checkout`](https://github.com/actions/checkout/)
-action to check out the repository.
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'master'
-
-jobs:
-  bake:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/bake-action@v5
-        with:
-          push: true
-```
-
 ### Git context
 
-Git context can be provided using the [`source` input](#inputs). This means
-that you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
+Since `v6` this action uses the [Git context](https://docs.docker.com/build/bake/remote-definition/)
+to build from a remote bake definition by default like the [build-push-action](https://github.com/docker/build-push-action)
+does. This means that you don't need to use the [`actions/checkout`](https://github.com/actions/checkout/)
 action to check out the repository as [BuildKit](https://docs.docker.com/build/buildkit/)
 will do this directly.
 
+The git reference will be based on the [event that triggered your workflow](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows)
+and will result in the following context: `https://github.com/<owner>/<repo>.git#<ref>`.
+
 ```yaml
 name: ci
 
 on:
   push:
-    branches:
-      - 'master'
 
 jobs:
   bake:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
       -
         name: Login to DockerHub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       -
         name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
-          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
           push: true
+          set: |
+            *.tags=user/app:latest
 ```
 
 Be careful because **any file mutation in the steps that precede the build step
 will be ignored, including processing of the `.dockerignore` file** since
 the context is based on the Git reference. However, you can use the
-[Path context](#path-context) alongside the [`actions/checkout`](https://github.com/actions/checkout/)
-action to remove this restriction.
+[Path context](#path-context) using the [`source` input](#inputs) alongside
+the [`actions/checkout`](https://github.com/actions/checkout/) action to remove
+this restriction.
 
 Default Git context can also be provided using the [Handlebars template](https://handlebarsjs.com/guide/)
 expression `{{defaultContext}}`. Here we can use it to provide a subdirectory
@@ -112,10 +80,12 @@ to the default Git context:
 ```yaml
       -
         name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
           source: "{{defaultContext}}:mysubdir"
           push: true
+          set: |
+            *.tags=user/app:latest
 ```
 
 Building from the current repository automatically uses the `GITHUB_TOKEN`
@@ -130,14 +100,82 @@ another private repository for remote definitions, you can set the
 ```yaml
       -
         name: Build and push
-        uses: docker/bake-action@v5
+        uses: docker/bake-action@v6
         with:
-          source: "${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}"
           push: true
+          set: |
+            *.tags=user/app:latest
         env:
           BUILDX_BAKE_GIT_AUTH_TOKEN: ${{ secrets.MYTOKEN }}
 ```
 
+### Path context
+
+```yaml
+name: ci
+
+on:
+  push:
+
+jobs:
+  bake:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Build and push
+        uses: docker/bake-action@v6
+        with:
+          source: .
+          push: true
+          set: |
+            *.tags=user/app:latest
+```
+
+## Summaries
+
+This action generates a [job summary](https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/)
+that provides a detailed overview of the build execution. The summary shows an
+overview of all the steps executed during the build, including the build
+inputs, bake definition, and eventual errors.
+
+![build-push-action job summary](./.github/bake-summary.png)
+
+The summary also includes a link for downloading a build record archive with
+additional details about the build execution for all the bake targets,
+including build stats, logs, outputs, and more. The build record can be
+imported to Docker Desktop for inspecting the build in greater detail.
+
+> [!WARNING]
+>
+> If you're using the [`actions/download-artifact`](https://github.com/actions/download-artifact)
+> action in your workflow, you need to ignore the build record artifacts
+> if `name` and `pattern` inputs are not specified ([defaults to download all artifacts](https://github.com/actions/download-artifact?tab=readme-ov-file#download-all-artifacts) of the workflow),
+> otherwise the action will fail:
+> ```yaml
+> - uses: actions/download-artifact@v4
+>   with:
+>     pattern: "!*.dockerbuild"
+> ```
+> More info: https://github.com/actions/toolkit/pull/1874
+
+Summaries are enabled by default, but can be disabled with the
+`DOCKER_BUILD_SUMMARY` [environment variable](#environment-variables).
+
+For more information about summaries, refer to the
+[documentation](https://docs.docker.com/go/build-summary/).
+
 ## Customizing
 
 ### inputs
@@ -162,17 +200,19 @@ The following inputs can be used as `step.with` keys
 | Name           | Type        | Description                                                                                                                                                        |
 |----------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `builder`      | String      | Builder instance (see [setup-buildx](https://github.com/docker/setup-buildx-action) action)                                                                        |
-| `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/customize/bake/file-definition/#remote-definition)    |
-| `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
 | `workdir`      | String      | Working directory of execution                                                                                                                                     |
-| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
+| `source`       | String      | Context to build from. Can be either local (`.`) or a [remote bake definition](https://docs.docker.com/build/bake/remote-definition/)                              |
+| `allow`        | List/CSV    | Allow build to access specified resources (e.g., `network.host`)                                                                                                   |
+| `call`         | String      | Set method for evaluating build (e.g., check)                                                                                                                      |
+| `files`        | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                                                     |
 | `no-cache`     | Bool        | Do not use cache when building the image (default `false`)                                                                                                         |
 | `pull`         | Bool        | Always attempt to pull a newer version of the image (default `false`)                                                                                              |
 | `load`         | Bool        | Load is a shorthand for `--set=*.output=type=docker` (default `false`)                                                                                             |
 | `provenance`   | Bool/String | [Provenance](https://docs.docker.com/build/attestations/slsa-provenance/) is a shorthand for `--set=*.attest=type=provenance`                                      |
 | `push`         | Bool        | Push is a shorthand for `--set=*.output=type=registry` (default `false`)                                                                                           |
 | `sbom`         | Bool/String | [SBOM](https://docs.docker.com/build/attestations/sbom/) is a shorthand for `--set=*.attest=type=sbom`                                                             |
-| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (eg: `targetpattern.key=value`)                        |
+| `set`          | List        | List of [targets values to override](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set) (e.g., `targetpattern.key=value`)                      |
+| `targets`      | List/CSV    | List of bake targets (`default` target used if empty)                                                                                                              |
 | `github-token` | String      | API token used to authenticate to a Git repository for [remote definitions](https://docs.docker.com/build/bake/remote-definition/) (default `${{ github.token }}`) |
 
 ### outputs
@@ -183,85 +223,19 @@ The following outputs are available
 |------------|------|-----------------------|
 | `metadata` | JSON | Build result metadata |
 
-## Subactions
-
-### `list-targets`
-
-This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
-so you can distribute your builds across multiple runners.
-
-```hcl
-# docker-bake.hcl
-group "validate" {
-  targets = ["lint", "doctoc"]
-}
-
-target "lint" {
-  target = "lint"
-}
-
-target "doctoc" {
-  target = "doctoc"
-}
-```
-
-```yaml
-jobs:
-  prepare:
-    runs-on: ubuntu-latest
-    outputs:
-      targets: ${{ steps.generate.outputs.targets }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: List targets
-        id: generate
-        uses: docker/bake-action/subaction/list-targets@v4
-        with:
-          target: validate
-
-  validate:
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Validate
-        uses: docker/bake-action@v5
-        with:
-          targets: ${{ matrix.target }}
-```
-#### inputs
-
-| Name         | Type        | Description                                                                                                                                 |
-|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
-| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
-| `target`     | String      | The target to use within the bake file                                                                                                      |
-
-#### outputs
-
-The following outputs are available
-
-| Name       | Type     | Description                |
-|------------|----------|----------------------------|
-| `targets`  | List/CSV | List of extracted targest  |
-
 ### environment variables
 
-| Name                                 | Type   | Description                                                                                                                                                                                                                                                        |
-|--------------------------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `DOCKER_BUILD_NO_SUMMARY`            | Bool   | If `true`, [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) generation is disabled                                                                                                                                                  |
-| `DOCKER_BUILD_EXPORT_RETENTION_DAYS` | Number | Duration after which build export artifact will expire in days. Defaults to repository/org [retention settings](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy) if unset or `0` |
+| Name                                 | Type   | Default | Description                                                                                                                                                                                                                                                        |
+|--------------------------------------|--------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `DOCKER_BUILD_CHECKS_ANNOTATIONS`    | Bool   | `true`  | If `false`, GitHub annotations are not generated for [build checks](https://docs.docker.com/build/checks/)                                                                                                                                                         |
+| `DOCKER_BUILD_SUMMARY`               | Bool   | `true`  | If `false`, [build summary](https://docs.docker.com/build/ci/github-actions/build-summary/) generation is disabled                                                                                                                                                 |
+| `DOCKER_BUILD_RECORD_UPLOAD`         | Bool   | `true`  | If `false`, build record upload as [GitHub artifact](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts) is disabled                                                                                                            |
+| `DOCKER_BUILD_RECORD_RETENTION_DAYS` | Number |         | Duration after which build record artifact will expire in days. Defaults to repository/org [retention settings](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#artifact-and-log-retention-policy) if unset or `0` |
+| `DOCKER_BUILD_EXPORT_LEGACY`         | Bool   | `false` | If `true`, exports build using legacy export-build tool instead of [`buildx history export` command](https://docs.docker.com/reference/cli/docker/buildx/history/export/)                                                                                          |
+
+## Subactions
+
+* [`matrix`](subaction/matrix)
 
 ## Contributing
 

__tests__/context.test.ts

@@ -1,4 +1,4 @@
-import {beforeEach, describe, expect, jest, test} from '@jest/globals';
+import {afterEach, beforeEach, describe, expect, jest, test} from '@jest/globals';
 import * as fs from 'fs';
 import * as path from 'path';
 
@@ -122,6 +122,7 @@ jest.spyOn(Bake.prototype, 'getDefinition').mockImplementation(async (): Promise
 });
 
 describe('getArgs', () => {
+  const originalEnv = process.env;
   beforeEach(() => {
     process.env = Object.keys(process.env).reduce((object, key) => {
       if (!key.startsWith('INPUT_')) {
@@ -130,6 +131,9 @@ describe('getArgs', () => {
       return object;
     }, {});
   });
+  afterEach(() => {
+    process.env = originalEnv;
+  });
 
   // prettier-ignore
   test.each([
@@ -137,6 +141,7 @@ describe('getArgs', () => {
       0,
       '0.4.1',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -144,12 +149,14 @@ describe('getArgs', () => {
       ]),
       [
         'bake',
-      ]
+      ],
+      undefined
     ],
     [
       1,
       '0.8.2',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -158,12 +165,14 @@ describe('getArgs', () => {
       [
         'bake',
         '--metadata-file', metadataJson
-      ]
+      ],
+      undefined
     ],
     [
       2,
       '0.8.2',
       new Map<string, string>([
+        ['source', '.'],
         ['targets', 'webapp\nvalidate'],
         ['load', 'false'],
         ['no-cache', 'false'],
@@ -174,12 +183,14 @@ describe('getArgs', () => {
         'bake',
         '--metadata-file', metadataJson,
         'webapp', 'validate'
-      ]
+      ],
+      undefined
     ],
     [
       3,
       '0.8.2',
       new Map<string, string>([
+        ['source', '.'],
         ['set', '*.cache-from=type=gha\n*.cache-to=type=gha'],
         ['load', 'false'],
         ['no-cache', 'false'],
@@ -191,12 +202,14 @@ describe('getArgs', () => {
         '--set', '*.cache-from=type=gha',
         '--set', '*.cache-to=type=gha',
         '--metadata-file', metadataJson
-      ]
+      ],
+      undefined
     ],
     [
       4,
       '0.10.0',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -206,12 +219,14 @@ describe('getArgs', () => {
         'bake',
         '--metadata-file', metadataJson,
         "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
-      ]
+      ],
+      undefined
     ],
     [
       5,
       '0.10.0',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -222,12 +237,14 @@ describe('getArgs', () => {
         'bake',
         '--metadata-file', metadataJson,
         "--provenance", `builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
-      ]
+      ],
+      undefined
     ],
     [
       6,
       '0.10.0',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -238,12 +255,14 @@ describe('getArgs', () => {
         'bake',
         '--metadata-file', metadataJson,
         "--provenance", `mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
-      ]
+      ],
+      undefined
     ],
     [
       7,
       '0.10.0',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -254,12 +273,14 @@ describe('getArgs', () => {
         'bake',
         '--metadata-file', metadataJson,
         "--provenance", 'false'
-      ]
+      ],
+      undefined
     ],
     [
       8,
       '0.10.0',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -270,12 +291,14 @@ describe('getArgs', () => {
         'bake',
         '--metadata-file', metadataJson,
         "--provenance", 'builder-id=foo'
-      ]
+      ],
+      undefined
     ],
     [
       9,
       '0.10.0',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -290,12 +313,14 @@ describe('getArgs', () => {
         '--metadata-file', metadataJson,
         '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         'image-all'
-      ]
+      ],
+      undefined
     ],
     [
       10,
       '0.10.0',
       new Map<string, string>([
+        ['source', '.'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -309,13 +334,13 @@ describe('getArgs', () => {
         '--metadata-file', metadataJson,
         '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         'image-all'
-      ]
+      ],
+      undefined
     ],
     [
       11,
       '0.10.0',
       new Map<string, string>([
-        ['source', '{{defaultContext}}'],
         ['load', 'false'],
         ['no-cache', 'false'],
         ['push', 'false'],
@@ -328,11 +353,74 @@ describe('getArgs', () => {
         '--file', './foo.hcl',
         '--metadata-file', metadataJson,
         '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
-      ]
+      ],
+      undefined
+    ],
+    [
+      12,
+      '0.17.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['allow', 'network.host'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'bake',
+        '--allow', 'network.host',
+        '--metadata-file', metadataJson,
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+      ],
+      undefined
+    ],
+    [
+      13,
+      '0.15.0',
+      new Map<string, string>([
+        ['source', '{{defaultContext}}:subdir'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['files', './foo.hcl'],
+      ]),
+      [
+        'bake',
+        'https://github.com/docker/build-push-action.git#refs/heads/master:subdir',
+        '--file', './foo.hcl',
+        '--metadata-file', metadataJson,
+        '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+      ],
+      undefined
+    ],
+    [
+      14,
+      '0.15.0',
+      new Map<string, string>([
+        ['source', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false']
+      ]),
+      [
+        'bake',
+        '--metadata-file', metadataJson
+      ],
+      new Map<string, string>([
+        ['BUILDX_NO_DEFAULT_ATTESTATIONS', '1']
+      ])
     ],
   ])(
     '[%d] given %p with %p as inputs, returns %p',
-    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
+    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
+      if (envs) {
+        envs.forEach((value: string, name: string) => {
+          process.env[name] = value;
+        });
+      }
       inputs.forEach((value: string, name: string) => {
         setInput(name, value);
       });

action.yml

@@ -10,18 +10,21 @@ inputs:
   builder:
     description: "Builder instance"
     required: false
-  source:
-    description: "Context to build from. Can be either local or a remote bake definition"
-    required: false
-  files:
-    description: "List of bake definition files"
-    required: false
   workdir:
     description: "Working directory of bake execution"
     required: false
     default: '.'
-  targets:
-    description: "List of bake targets"
+  source:
+    description: "Context to build from. Can be either local or a remote bake definition"
+    required: false
+  allow:
+    description: "Allow build to access specified resources (e.g., network.host)"
+    required: false
+  call:
+    description: "Set method for evaluating build (e.g., check)"
+    required: false
+  files:
+    description: "List of bake definition files"
     required: false
   no-cache:
     description: "Do not use cache when building the image"
@@ -48,6 +51,9 @@ inputs:
   set:
     description: "List of targets values to override (eg. targetpattern.key=value)"
     required: false
+  targets:
+    description: "List of bake targets"
+    required: false
   github-token:
     description: "API token used to authenticate to a Git repository for remote definitions"
     default: ${{ github.token }}

dist/licenses.txt

@@ -2358,9 +2358,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
-dot-object
-MIT
-
 encoding
 MIT
 Copyright (c) 2012-2014 Andris Reinman
@@ -3691,9 +3688,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
-twirp-ts
-MIT
-
 undici
 MIT
 MIT License

docker-bake.hcl

@@ -1,3 +1,9 @@
+target "_common" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
 group "default" {
   targets = ["build"]
 }
@@ -11,42 +17,49 @@ group "validate" {
 }
 
 target "build" {
+  inherits = ["_common"]
   dockerfile = "dev.Dockerfile"
   target = "build-update"
   output = ["."]
 }
 
 target "build-validate" {
+  inherits = ["_common"]
   dockerfile = "dev.Dockerfile"
   target = "build-validate"
   output = ["type=cacheonly"]
 }
 
 target "format" {
+  inherits = ["_common"]
   dockerfile = "dev.Dockerfile"
   target = "format-update"
   output = ["."]
 }
 
 target "lint" {
+  inherits = ["_common"]
   dockerfile = "dev.Dockerfile"
   target = "lint"
   output = ["type=cacheonly"]
 }
 
 target "vendor" {
+  inherits = ["_common"]
   dockerfile = "dev.Dockerfile"
   target = "vendor-update"
   output = ["."]
 }
 
 target "vendor-validate" {
+  inherits = ["_common"]
   dockerfile = "dev.Dockerfile"
   target = "vendor-validate"
   output = ["type=cacheonly"]
 }
 
 target "test" {
+  inherits = ["_common"]
   dockerfile = "dev.Dockerfile"
   target = "test-coverage"
   output = ["./coverage"]

package.json

@@ -24,25 +24,25 @@
   ],
   "author": "Docker Inc.",
   "license": "Apache-2.0",
-  "packageManager": "yarn@3.6.3",
+  "packageManager": "yarn@4.9.2",
   "dependencies": {
-    "@actions/core": "^1.10.1",
-    "@docker/actions-toolkit": "^0.28.0",
+    "@actions/core": "^1.11.1",
+    "@docker/actions-toolkit": "^0.63.0",
     "handlebars": "^4.7.8"
   },
   "devDependencies": {
-    "@types/node": "^20.12.12",
-    "@typescript-eslint/eslint-plugin": "^7.9.0",
-    "@typescript-eslint/parser": "^7.9.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-jest": "^28.5.0",
-    "eslint-plugin-prettier": "^5.1.3",
+    "@types/node": "^20.19.9",
+    "@typescript-eslint/eslint-plugin": "^7.18.0",
+    "@typescript-eslint/parser": "^7.18.0",
+    "@vercel/ncc": "^0.38.3",
+    "eslint": "^8.57.1",
+    "eslint-config-prettier": "^9.1.2",
+    "eslint-plugin-jest": "^28.14.0",
+    "eslint-plugin-prettier": "^5.5.4",
     "jest": "^29.7.0",
-    "prettier": "^3.2.5",
-    "ts-jest": "^29.1.2",
+    "prettier": "^3.6.2",
+    "ts-jest": "^29.4.1",
     "ts-node": "^10.9.2",
-    "typescript": "^5.4.5"
+    "typescript": "^5.9.2"
   }
 }

src/context.ts

@@ -12,9 +12,11 @@ import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
 
 export interface Inputs {
   builder: string;
-  files: string[];
   workdir: string;
-  targets: string[];
+  source: string;
+  allow: string[];
+  call: string;
+  files: string[];
   'no-cache': boolean;
   pull: boolean;
   load: boolean;
@@ -22,16 +24,18 @@ export interface Inputs {
   push: boolean;
   sbom: string;
   set: string[];
-  source: string;
+  targets: string[];
   'github-token': string;
 }
 
 export async function getInputs(): Promise<Inputs> {
   return {
     builder: core.getInput('builder'),
-    files: Util.getInputList('files'),
     workdir: core.getInput('workdir') || '.',
-    targets: Util.getInputList('targets'),
+    source: getSourceInput('source'),
+    allow: Util.getInputList('allow'),
+    call: core.getInput('call'),
+    files: Util.getInputList('files'),
     'no-cache': core.getBooleanInput('no-cache'),
     pull: core.getBooleanInput('pull'),
     load: core.getBooleanInput('load'),
@@ -39,33 +43,11 @@ export async function getInputs(): Promise<Inputs> {
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
     set: Util.getInputList('set', {ignoreComma: true, quote: false}),
-    source: getSourceInput('source'),
+    targets: Util.getInputList('targets'),
     'github-token': core.getInput('github-token')
   };
 }
 
-export function sanitizeInputs(inputs: Inputs) {
-  const res = {};
-  for (const key of Object.keys(inputs)) {
-    if (key === 'github-token') {
-      continue;
-    }
-    const value: string | string[] | boolean = inputs[key];
-    if (typeof value === 'boolean' && value === false) {
-      continue;
-    } else if (Array.isArray(value) && value.length === 0) {
-      continue;
-    } else if (!value) {
-      continue;
-    }
-    if (key === 'workdir' && value === '.') {
-      continue;
-    }
-    res[key] = value;
-  }
-  return res;
-}
-
 export async function getArgs(inputs: Inputs, definition: BakeDefinition, toolkit: Toolkit): Promise<Array<string>> {
   // prettier-ignore
   return [
@@ -80,6 +62,21 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
   if (inputs.source) {
     args.push(inputs.source);
   }
+  if (await toolkit.buildx.versionSatisfies('>=0.17.0')) {
+    if (await toolkit.buildx.versionSatisfies('>=0.18.0')) {
+      // allow filesystem entitlements by default
+      inputs.allow.push('fs=*');
+    }
+    await Util.asyncForEach(inputs.allow, async allow => {
+      args.push('--allow', allow);
+    });
+  }
+  if (inputs.call) {
+    if (!(await toolkit.buildx.versionSatisfies('>=0.16.0'))) {
+      throw new Error(`Buildx >= 0.16.0 is required to use the call flag.`);
+    }
+    args.push('--call', inputs.call);
+  }
   await Util.asyncForEach(inputs.files, async file => {
     args.push('--file', file);
   });
@@ -92,7 +89,7 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
   if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
     if (inputs.provenance) {
       args.push('--provenance', inputs.provenance);
-    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
+    } else if (!noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
       // if provenance not specified and BuildKit version compatible for
       // attestation, set default provenance. Also needs to make sure user
       // doesn't want to explicitly load the image to docker.
@@ -136,8 +133,18 @@ function getSourceInput(name: string): string {
   let source = handlebars.compile(core.getInput(name))({
     defaultContext: Context.gitContext()
   });
+  if (!source) {
+    source = Context.gitContext();
+  }
   if (source === '.') {
     source = '';
   }
   return source;
 }
+
+function noDefaultAttestations(): boolean {
+  if (process.env.BUILDX_NO_DEFAULT_ATTESTATIONS) {
+    return Util.parseBool(process.env.BUILDX_NO_DEFAULT_ATTESTATIONS);
+  }
+  return false;
+}

src/main.ts

@@ -13,7 +13,9 @@ import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Util} from '@docker/actions-toolkit/lib/util';
 
 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
+import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
 import {ConfigFile} from '@docker/actions-toolkit/lib/types/docker/docker';
+import {UploadArtifactResponse} from '@docker/actions-toolkit/lib/types/github';
 
 import * as context from './context';
 import * as stateHelper from './state-helper';
@@ -24,8 +26,8 @@ actionsToolkit.run(
     const startedTime = new Date();
 
     const inputs: context.Inputs = await context.getInputs();
+    stateHelper.setSummaryInputs(inputs);
     core.debug(`inputs: ${JSON.stringify(inputs)}`);
-    stateHelper.setInputs(inputs);
 
     const toolkit = new Toolkit();
     const gitAuthToken = process.env.BUILDX_BAKE_GIT_AUTH_TOKEN ?? inputs['github-token'];
@@ -83,16 +85,19 @@ actionsToolkit.run(
       await toolkit.buildx.printVersion();
     });
 
+    let builder: BuilderInfo;
     await core.group(`Builder info`, async () => {
-      const builder = await toolkit.builder.inspect(inputs.builder);
+      builder = await toolkit.builder.inspect(inputs.builder);
+      stateHelper.setBuilderDriver(builder.driver ?? '');
+      stateHelper.setBuilderEndpoint(builder.nodes?.[0]?.endpoint ?? '');
       core.info(JSON.stringify(builder, null, 2));
-      stateHelper.setBuilder(builder);
     });
 
     let definition: BakeDefinition | undefined;
     await core.group(`Parsing raw definition`, async () => {
       definition = await toolkit.buildxBake.getDefinition(
         {
+          allow: inputs.allow,
           files: inputs.files,
           load: inputs.load,
           noCache: inputs['no-cache'],
@@ -117,15 +122,21 @@ actionsToolkit.run(
     const args: string[] = await context.getArgs(inputs, definition, toolkit);
     const buildCmd = await toolkit.buildx.getCommand(args);
     const buildEnv = Object.assign({}, process.env, {
-      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken
+      BUILDX_BAKE_GIT_AUTH_TOKEN: gitAuthToken,
+      BUILDX_METADATA_WARNINGS: 'true'
     }) as {
       [key: string]: string;
     };
 
     await core.group(`Bake definition`, async () => {
-      await Exec.exec(buildCmd.command, [...buildCmd.args, '--print'], {
+      await Exec.getExecOutput(buildCmd.command, [...buildCmd.args, '--print'], {
         cwd: inputs.workdir,
-        env: buildEnv
+        env: buildEnv,
+        ignoreReturnCode: true
+      }).then(res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          throw Error(res.stderr);
+        }
       });
     });
 
@@ -135,8 +146,26 @@ actionsToolkit.run(
       env: buildEnv,
       ignoreReturnCode: true
     }).then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
-        err = Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+      if (res.exitCode != 0) {
+        if (inputs.call && inputs.call === 'check' && res.stdout.length > 0) {
+          // checks warnings are printed to stdout: https://github.com/docker/buildx/pull/2647
+          // with bake we can have multiple targets being checked so we need to
+          // count the total number of warnings
+          const totalWarnings = [...res.stdout.matchAll(/^Check complete, (\d+) warnings? (?:has|have) been found!/gm)].reduce((sum, m) => sum + parseInt(m[1], 10), 0);
+          if (totalWarnings > 0) {
+            // https://github.com/docker/buildx/blob/1e50e8ddabe108f009b9925e13a321d7c8f99f26/commands/build.go#L797-L803
+            if (totalWarnings === 1) {
+              err = Error(`Check complete, ${totalWarnings} warning has been found!`);
+            } else {
+              err = Error(`Check complete, ${totalWarnings} warnings have been found!`);
+            }
+          } else {
+            // if there are no warnings found, return the first line of stdout
+            err = Error(res.stdout.split('\n')[0]?.trim());
+          }
+        } else if (res.stderr.length > 0) {
+          err = Error(`buildx bake failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+        }
       }
     });
 
@@ -148,50 +177,90 @@ actionsToolkit.run(
         core.setOutput('metadata', metadatadt);
       });
     }
+
+    let refs: Array<string> = [];
     await core.group(`Build references`, async () => {
-      const refs = await buildRefs(toolkit, startedTime, inputs.builder);
-      if (refs) {
+      refs = await buildRefs(toolkit, startedTime, inputs.builder);
+      if (refs.length > 0) {
         for (const ref of refs) {
           core.info(ref);
         }
         stateHelper.setBuildRefs(refs);
       } else {
-        core.warning('No build refs found');
+        core.info('No build references found');
       }
     });
+
+    if (buildChecksAnnotationsEnabled()) {
+      const warnings = toolkit.buildxBake.resolveWarnings(metadata);
+      if (refs.length > 0 && warnings && warnings.length > 0) {
+        const annotations = await Buildx.convertWarningsToGitHubAnnotations(warnings, refs);
+        core.debug(`annotations: ${JSON.stringify(annotations, null, 2)}`);
+        if (annotations && annotations.length > 0) {
+          await core.group(`Generating GitHub annotations (${annotations.length} build checks found)`, async () => {
+            for (const annotation of annotations) {
+              core.warning(annotation.message, annotation);
+            }
+          });
+        }
+      }
+    }
+
+    await core.group(`Check build summary support`, async () => {
+      if (!buildSummaryEnabled()) {
+        core.info('Build summary disabled');
+      } else if (inputs.call && inputs.call !== 'build') {
+        core.info(`Build summary skipped for ${inputs.call} subrequest`);
+      } else if (GitHub.isGHES) {
+        core.info('Build summary is not yet supported on GHES');
+      } else if (!(await toolkit.buildx.versionSatisfies('>=0.13.0'))) {
+        core.info('Build summary requires Buildx >= 0.13.0');
+      } else if (refs.length == 0) {
+        core.info('Build summary requires at least one build reference');
+      } else {
+        core.info('Build summary supported!');
+        stateHelper.setSummarySupported();
+      }
+    });
+
     if (err) {
       throw err;
     }
   },
   // post
   async () => {
-    if (stateHelper.buildRefs.length > 0) {
+    if (stateHelper.isSummarySupported) {
       await core.group(`Generating build summary`, async () => {
-        if (process.env.DOCKER_BUILD_NO_SUMMARY && Util.parseBool(process.env.DOCKER_BUILD_NO_SUMMARY)) {
-          core.info('Summary disabled');
-          return;
-        }
-        if (stateHelper.builder && stateHelper.builder.driver === 'cloud') {
-          core.info('Summary is not yet supported with Docker Build Cloud');
-          return;
-        }
         try {
-          const exportRetentionDays = buildExportRetentionDays();
+          const recordUploadEnabled = buildRecordUploadEnabled();
+          let recordRetentionDays: number | undefined;
+          if (recordUploadEnabled) {
+            recordRetentionDays = buildRecordRetentionDays();
+          }
+
           const buildxHistory = new BuildxHistory();
           const exportRes = await buildxHistory.export({
-            refs: stateHelper.buildRefs
-          });
-          core.info(`Build records exported to ${exportRes.dockerbuildFilename} (${Util.formatFileSize(exportRes.dockerbuildSize)})`);
-          const uploadRes = await GitHub.uploadArtifact({
-            filename: exportRes.dockerbuildFilename,
-            mimeType: 'application/gzip',
-            retentionDays: exportRetentionDays
+            refs: stateHelper.buildRefs,
+            useContainer: buildExportLegacy()
           });
+          core.info(`Build records written to ${exportRes.dockerbuildFilename} (${Util.formatFileSize(exportRes.dockerbuildSize)})`);
+
+          let uploadRes: UploadArtifactResponse | undefined;
+          if (recordUploadEnabled) {
+            uploadRes = await GitHub.uploadArtifact({
+              filename: exportRes.dockerbuildFilename,
+              mimeType: 'application/gzip',
+              retentionDays: recordRetentionDays
+            });
+          }
+
           await GitHub.writeBuildSummary({
             exportRes: exportRes,
             uploadRes: uploadRes,
-            inputs: stateHelper.inputs,
-            bakeDefinition: stateHelper.bakeDefinition
+            inputs: stateHelper.summaryInputs,
+            bakeDefinition: stateHelper.bakeDefinition,
+            driver: stateHelper.builderDriver,
+            endpoint: stateHelper.builderEndpoint
           });
         } catch (e) {
           core.warning(e.message);
@@ -231,12 +300,50 @@ async function buildRefs(toolkit: Toolkit, since: Date, builder?: string): Promi
   return refs;
 }
 
-function buildExportRetentionDays(): number | undefined {
+function buildChecksAnnotationsEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS) {
+    return Util.parseBool(process.env.DOCKER_BUILD_CHECKS_ANNOTATIONS);
+  }
+  return true;
+}
+
+function buildSummaryEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_NO_SUMMARY) {
+    core.warning('DOCKER_BUILD_NO_SUMMARY is deprecated. Set DOCKER_BUILD_SUMMARY to false instead.');
+    return !Util.parseBool(process.env.DOCKER_BUILD_NO_SUMMARY);
+  } else if (process.env.DOCKER_BUILD_SUMMARY) {
+    return Util.parseBool(process.env.DOCKER_BUILD_SUMMARY);
+  }
+  return true;
+}
+
+function buildRecordUploadEnabled(): boolean {
+  if (process.env.DOCKER_BUILD_RECORD_UPLOAD) {
+    return Util.parseBool(process.env.DOCKER_BUILD_RECORD_UPLOAD);
+  }
+  return true;
+}
+
+function buildRecordRetentionDays(): number | undefined {
+  let val: string | undefined;
   if (process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS) {
-    const res = parseInt(process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS);
+    core.warning('DOCKER_BUILD_EXPORT_RETENTION_DAYS is deprecated. Use DOCKER_BUILD_RECORD_RETENTION_DAYS instead.');
+    val = process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS;
+  } else if (process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS) {
+    val = process.env.DOCKER_BUILD_RECORD_RETENTION_DAYS;
+  }
+  if (val) {
+    const res = parseInt(val);
     if (isNaN(res)) {
-      throw Error(`Invalid build export retention days: ${process.env.DOCKER_BUILD_EXPORT_RETENTION_DAYS}`);
+      throw Error(`Invalid build record retention days: ${val}`);
     }
     return res;
   }
 }
+
+function buildExportLegacy(): boolean {
+  if (process.env.DOCKER_BUILD_EXPORT_LEGACY) {
+    return Util.parseBool(process.env.DOCKER_BUILD_EXPORT_LEGACY);
+  }
+  return false;
+}

src/state-helper.ts

@@ -1,26 +1,29 @@
 import * as core from '@actions/core';
 
 import {BakeDefinition} from '@docker/actions-toolkit/lib/types/buildx/bake';
-import {BuilderInfo} from '@docker/actions-toolkit/lib/types/buildx/builder';
 
-import {Inputs, sanitizeInputs} from './context';
+import {Inputs} from './context';
 
 export const tmpDir = process.env['STATE_tmpDir'] || '';
-export const inputs = process.env['STATE_inputs'] ? JSON.parse(process.env['STATE_inputs']) : undefined;
-export const builder = process.env['STATE_builder'] ? <BuilderInfo>JSON.parse(process.env['STATE_builder']) : undefined;
+
+export const builderDriver = process.env['STATE_builderDriver'] || '';
+export const builderEndpoint = process.env['STATE_builderEndpoint'] || '';
+export const summaryInputs = process.env['STATE_summaryInputs'] ? JSON.parse(process.env['STATE_summaryInputs']) : undefined;
 export const bakeDefinition = process.env['STATE_bakeDefinition'] ? <BakeDefinition>JSON.parse(process.env['STATE_bakeDefinition']) : undefined;
+
 export const buildRefs = process.env['STATE_buildRefs'] ? process.env['STATE_buildRefs'].split(',') : [];
+export const isSummarySupported = !!process.env['STATE_isSummarySupported'];
 
 export function setTmpDir(tmpDir: string) {
   core.saveState('tmpDir', tmpDir);
 }
 
-export function setInputs(inputs: Inputs) {
-  core.saveState('inputs', JSON.stringify(sanitizeInputs(inputs)));
+export function setBuilderDriver(builderDriver: string) {
+  core.saveState('builderDriver', builderDriver);
 }
 
-export function setBuilder(builder: BuilderInfo) {
-  core.saveState('builder', JSON.stringify(builder));
+export function setBuilderEndpoint(builderEndpoint: string) {
+  core.saveState('builderEndpoint', builderEndpoint);
 }
 
 export function setBakeDefinition(bakeDefinition: BakeDefinition) {
@@ -30,3 +33,26 @@ export function setBakeDefinition(bakeDefinition: BakeDefinition) {
 export function setBuildRefs(buildRefs: Array<string>) {
   core.saveState('buildRefs', buildRefs.join(','));
 }
+
+export function setSummarySupported() {
+  core.saveState('isSummarySupported', 'true');
+}
+
+export function setSummaryInputs(inputs: Inputs) {
+  const res = {};
+  for (const key of Object.keys(inputs)) {
+    if (key === 'github-token') {
+      continue;
+    }
+    const value: string | string[] | boolean = inputs[key];
+    if (typeof value === 'boolean' && !value) {
+      continue;
+    } else if (Array.isArray(value) && value.length === 0) {
+      continue;
+    } else if (!value) {
+      continue;
+    }
+    res[key] = value;
+  }
+  core.saveState('summaryInputs', JSON.stringify(res));
+}

subaction/list-targets/README.md

@@ -0,0 +1,86 @@
+> [!WARNING]
+> `docker/bake-action/subaction/list-targets` is deprecated and will be removed
+> in a future release. Please use [`docker/bake-action/subaction/matrix`](../matrix)
+> instead.
+
+## About
+
+This subaction generates a list of Bake targets that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),
+so you can distribute your builds across multiple runners.
+
+![Screenshot](../../.github/subaction-list-targets.png)
+
+___
+
+* [Usage](#usage)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+
+## Usage
+
+```hcl
+# docker-bake.hcl
+group "validate" {
+  targets = ["lint", "doctoc"]
+}
+
+target "lint" {
+  target = "lint"
+}
+
+target "doctoc" {
+  target = "doctoc"
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      targets: ${{ steps.generate.outputs.targets }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: List targets
+        id: generate
+        uses: docker/bake-action/subaction/list-targets@v6
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        target: ${{ fromJson(needs.prepare.outputs.targets) }}
+    steps:
+      -
+        name: Validate
+        uses: docker/bake-action@v6
+        with:
+          targets: ${{ matrix.target }}
+```
+
+## Customizing
+
+### inputs
+
+| Name         | Type        | Description                                                                                                                                 |
+|--------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| `workdir`    | String      | Working directory to use (defaults to `.`)                                                                                                  |
+| `files`      | List/CSV    | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/)                                              |
+| `target`     | String      | The target to use within the bake file                                                                                                      |
+
+### outputs
+
+The following outputs are available
+
+| Name       | Type     | Description               |
+|------------|----------|---------------------------|
+| `targets`  | List/CSV | List of extracted targets |

subaction/list-targets/action.yml

@@ -26,12 +26,23 @@ runs:
       name: Generate
       id: generate
       uses: actions/github-script@v7
+      env:
+        INPUT_WORKDIR: ${{ inputs.workdir }}
+        INPUT_FILES: ${{ inputs.files }}
+        INPUT_TARGET: ${{ inputs.target }}
       with:
         script: |
-          let def;
-          const files = `${{ inputs.files }}` ? `${{ inputs.files }}`.split(',') : [];
-          const target = `${{ inputs.target }}`;
+          core.warning(`docker/bake-action/subaction/list-targets is deprecated and will be removed in a future release. Please use docker/bake-action/subaction/matrix instead.`);
 
+          function getInputList(name) {
+            return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+          }
+
+          const workdir = core.getInput('workdir');
+          const files = getInputList('files');
+          const target = core.getInput('target');
+
+          let def = {};
           await core.group(`Validating definition`, async () => {
             let args = ['buildx', 'bake'];
             for (const file of files) {
@@ -45,7 +56,7 @@ runs:
             const res = await exec.getExecOutput('docker', args, {
               ignoreReturnCode: true,
               silent: true,
-              cwd: `${{ inputs.workdir }}`
+              cwd: workdir
             });
             if (res.stderr.length > 0 && res.exitCode != 0) {
               throw new Error(res.stderr);

subaction/matrix/README.md

@@ -0,0 +1,140 @@
+## About
+
+This subaction generates a multi-dimension matrix that can be used in a [GitHub matrix](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix)
+through the [`include` property](https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow#expanding-or-adding-matrix-configurations)
+so you can distribute your builds across multiple runners.
+
+![Screenshot](../../.github/subaction-matrix.png)
+
+___
+
+* [Usage](#usage)
+* [Customizing](#customizing)
+  * [inputs](#inputs)
+  * [outputs](#outputs)
+
+## Usage
+
+### List targets
+
+```hcl
+# docker-bake.hcl
+group "validate" {
+  targets = ["lint", "doctoc"]
+}
+
+target "lint" {
+  target = "lint"
+}
+
+target "doctoc" {
+  target = "doctoc"
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v6
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Validate
+        uses: docker/bake-action@v6
+        with:
+          targets: ${{ matrix.target }}
+```
+
+### Platforms split
+
+```hcl
+# docker-bake.hcl
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+```
+
+```yaml
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v6
+        with:
+          target: lint
+          fields: platforms
+
+  lint:
+    runs-on: ${{ startsWith(matrix.platforms, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Lint
+        uses: docker/bake-action@v6
+        with:
+          targets: ${{ matrix.target }}
+          set: |
+            *.platform=${{ matrix.platforms }}
+```
+
+## Customizing
+
+### inputs
+
+| Name      | Type     | Description                                                                                    |
+|-----------|----------|------------------------------------------------------------------------------------------------|
+| `workdir` | String   | Working directory to use (defaults to `.`)                                                     |
+| `files`   | List/CSV | List of [bake definition files](https://docs.docker.com/build/customize/bake/file-definition/) |
+| `target`  | String   | The target to use within the bake file                                                         |
+| `fields`  | String   | List of extra fields to include in the matrix                                                  |
+
+### outputs
+
+| Name     | Type | Description          |
+|----------|------|----------------------|
+| `matrix` | JSON | Matrix configuration |

subaction/matrix/action.yml

@@ -0,0 +1,101 @@
+# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
+name: 'Matrix'
+description: 'Generate a matrix from a Bake definition to help distributing builds in your workflow'
+
+inputs:
+  workdir:
+    description: Working directory
+    default: '.'
+    required: false
+  files:
+    description: List of Bake files
+    required: false
+  target:
+    description: Bake target
+    required: false
+  fields:
+    description: List of extra fields to include in the matrix
+    required: false
+
+outputs:
+  matrix:
+    description: Matrix configuration
+    value: ${{ steps.generate.outputs.includes }}
+
+runs:
+  using: composite
+  steps:
+    -
+      name: Generate
+      id: generate
+      uses: actions/github-script@v7
+      env:
+        INPUT_WORKDIR: ${{ inputs.workdir }}
+        INPUT_FILES: ${{ inputs.files }}
+        INPUT_TARGET: ${{ inputs.target }}
+        INPUT_FIELDS: ${{ inputs.fields }}
+      with:
+        script: |
+          function getInputList(name) {
+            return core.getInput(name) ? core.getInput(name).split(/[\r?\n,]+/).filter(x => x !== '') : [];
+          }
+
+          const workdir = core.getInput('workdir');
+          const files = getInputList('files');
+          const target = core.getInput('target');
+          const fields = getInputList('fields');
+
+          let def = {};
+          await core.group(`Parsing definition`, async () => {
+            let args = ['buildx', 'bake'];
+            for (const file of files) {
+              args.push('--file', file);
+            }
+            if (target) {
+              args.push(target);
+            }
+            args.push('--print');
+            const res = await exec.getExecOutput('docker', args, {
+              ignoreReturnCode: true,
+              silent: true,
+              cwd: workdir
+            });
+            if (res.stderr.length > 0 && res.exitCode != 0) {
+              throw new Error(res.stderr);
+            }
+            def = JSON.parse(res.stdout.trim());
+            core.info(JSON.stringify(def, null, 2));
+          });
+
+          await core.group(`Generating matrix`, async () => {
+            const result = [];
+            for (const targetName of Object.keys(def.target)) {
+              const target = def.target[targetName];
+              const entry = { target: targetName };
+              if (fields.length === 0) {
+                result.push({ ...entry });
+                continue;
+              }
+              let fieldFound = false;
+              Object.keys(target).forEach(field => {
+                if (fields.includes(field)) {
+                  fieldFound = true;
+                  const value = target[field];
+                  if (Array.isArray(value)) {
+                    value.forEach((v) => {
+                      entry[field] = v;
+                      result.push({ ...entry });
+                    });
+                  } else {
+                    entry[field] = value;
+                    result.push({ ...entry });
+                  }
+                }
+              });
+              if (!fieldFound) {
+                result.push({ ...entry });
+              }
+            }
+            core.info(JSON.stringify(result, null, 2));
+            core.setOutput('includes', JSON.stringify(result));
+          });

test/config.hcl

@@ -42,3 +42,8 @@ target "app-proxy" {
   inherits = ["app"]
   dockerfile = "proxy.Dockerfile"
 }
+
+target "app-entitlements" {
+  inherits = ["app"]
+  entitlements = ["network.host"]
+}

test/group-with-platform/docker-bake.hcl

@@ -0,0 +1,36 @@
+group "validate" {
+  targets = ["lint", "lint-gopls", "validate-vendor", "validate-docs"]
+}
+
+target "lint" {
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  output = ["type=cacheonly"]
+  platforms = [
+    "darwin/amd64",
+    "darwin/arm64",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64",
+    "windows/amd64",
+    "windows/arm64"
+  ]
+}
+
+target "lint-gopls" {
+  inherits = ["lint"]
+  target = "gopls-analyze"
+}
+
+target "validate-vendor" {
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
+target "validate-docs" {
+  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}

test/lint-other.Dockerfile

@@ -0,0 +1,10 @@
+frOM busybox as base
+cOpy lint-other.Dockerfile .
+
+froM busybox aS notused
+COPY lint-other.Dockerfile .
+
+from scratch
+COPy --from=base \
+  /lint-other.Dockerfile \
+  /

test/lint.Dockerfile

@@ -0,0 +1,12 @@
+frOM busybox as base
+cOpy lint.Dockerfile .
+
+from scratch
+MAINTAINER moby@example.com
+COPy --from=base \
+  /lint.Dockerfile \
+  /
+
+CMD [ "echo", "Hello, Norway!" ]
+CMD [ "echo", "Hello, Sweden!" ]
+ENTRYPOINT my-program start

test/lint.hcl

@@ -0,0 +1,12 @@
+group "default" {
+  targets = ["lint", "lint-other", "lint-inline"]
+}
+target "lint" {
+  dockerfile = "lint.Dockerfile"
+}
+target "lint-other" {
+  dockerfile = "lint-other.Dockerfile"
+}
+target "lint-inline" {
+  dockerfile-inline = "FRoM alpine\nENTRYPOINT [\"echo\", \"hello\"]"
+}

test/multi-files/docker-bake.hcl

@@ -0,0 +1,15 @@
+group "default" {
+  targets = ["t3"]
+}
+
+target "t3" {
+  name = "${item.tag}"
+  matrix = {
+    item = t3
+  }
+  args = {
+    VERSION = "${item.version}"
+    DUMMY_ARG = "${item.arg}"
+  }
+  tags = ["${item.tag}"]
+}

test/multi-files/docker-bake.json

@@ -0,0 +1,14 @@
+{
+  "t3": [
+    {
+      "version": "v1",
+      "arg": "v1-value",
+      "tag": "v1-tag"
+    },
+    {
+      "version": "v2",
+      "arg": "v2-value",
+      "tag": "v2-tag"
+    }
+  ]
+}